BGP and VPN

Hi,
We need to set up a BGP network at our branch office, so I wanted some of your opinions. Here is what I’m looking to set up.

2 bandwidth providers, FastE 10/100 with 4mb commit on both (multi-home) BGP.
Routing a /27
Usage is VPN (5 tunnels) and HTTP inbound and out.
I would say a constant 30mb usage 24/7
Not looking to go beyond 2 ISP and/or 10/100
1. How about a single 2821 Sec/K9 with 256 RAM for the route tables.
2. Two 2811's, one 2811 with 256 RAM for the BGP and another 2811 Sec/K9 with 256 RAM for VPN.
3. One 2811/2821 with 256 RAM for the BGP and another ASA for VPN

Similar Messages

  • BGP and MP-BGP

    What is difference between BGP and MP-BGP? and what is the exact application of both?

    Multiprotocol Extensions for BGP (MBGP), sometimes referred to as Multiprotocol BGP or Multicast BGP and defined in IETF RFC 4760, is an extension to Border Gateway Protocol that allows different types of addresses (known as address families) to be distributed in parallel. Whereas standard BGP supports only IPv4 unicast addresses, Multiprotocol BGP supports IPv4 and IPv6 addresses and it supports unicast and multicast variants of each. Multiprotocol BGP allows information about the topology of IP Multicast-capable routers to be exchanged separately from the topology of normal IPv4 unicast routers. Thus, it allows a multicast routing topology different from the unicast routing topology. Although MBGP enables the exchange of inter-domain multicast routing information, other protocols such as the Protocol Independent Multicast family are needed to build trees and forward multicast traffic.
    Multiprotocol BGP is also widely deployed in case of MPLS L3 VPN, to exchange VPN labels learned for the routes from the customer sites over the MPLS network, in order to distinguish between different customer sites when the traffic from the other customer sites comes to the PE router for routing.
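An added example, not part of the original thread: the address families a peer is willing to exchange are announced in its BGP OPEN message as Multiprotocol Extensions capabilities (capability code 1, carrying an AFI and a SAFI), so parsing the OPEN shows exactly which families a session can carry. The function names and the sample message below are constructed for illustration.

```python
import struct

# AFI/SAFI code points used with RFC 4760 (IANA-assigned).
AFI = {1: "IPv4", 2: "IPv6"}
SAFI = {1: "unicast", 2: "multicast", 128: "MPLS-labeled VPN"}
MARKER = b"\xff" * 16

def build_open(asn, hold_time, router_id, families):
    """Build a constructed BGP OPEN with one Multiprotocol capability per (afi, safi)."""
    caps = b"".join(struct.pack("!BBHBB", 1, 4, afi, 0, safi) for afi, safi in families)
    params = struct.pack("!BB", 2, len(caps)) + caps  # parameter type 2 = Capabilities
    body = struct.pack("!BHH4sB", 4, asn, hold_time, bytes(router_id), len(params)) + params
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body  # message type 1 = OPEN

def _tlvs(buf):
    """Yield (type, value) from a run of 1-byte type / 1-byte length TLVs."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated TLV")
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def mp_families(msg):
    """Return the (AFI, SAFI) pairs offered in an OPEN message."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("not a BGP message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != 1 or length != len(msg) or 29 + msg[28] != length:
        raise ValueError("malformed OPEN")
    families = []
    for ptype, pval in _tlvs(msg[29:]):
        if ptype != 2:
            continue
        for code, cval in _tlvs(pval):
            if code == 1 and len(cval) == 4:  # capability code 1 = Multiprotocol Extensions
                afi, _reserved, safi = struct.unpack("!HBB", cval)
                families.append((afi, safi))
    return families

def describe(families):
    """Human-readable names; an empty list means the peer only speaks IPv4 unicast."""
    if not families:
        return ["IPv4 unicast (no MP capability offered)"]
    return [f"{AFI.get(a, f'AFI {a}')} {SAFI.get(s, f'SAFI {s}')}" for a, s in families]

# Constructed sample: AS 65000 offering IPv4 unicast, IPv6 unicast and VPNv4.
SAMPLE = build_open(65000, 180, (192, 0, 2, 1), [(1, 1), (2, 1), (1, 128)])

if __name__ == "__main__":
    for line in describe(mp_families(SAMPLE)):
        print(line)
```

Comparing the parsed list against the families a peering is expected to carry is a quick way to spot a session that offers more than intended, such as VPNv4 on a link meant for plain Internet routes.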

  • Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access

    Hi there,
    I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
    Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and connect I get the following message "couldn't connect - We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
    Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message "Connection error - We couldn't connect to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no RD Server settings in the Remote Desktop app on the Windows Phone and the only way I'm to connect to my PC at work is via Remote Desktop and not to be confused with the one by Microsoft, however the app is on a trial basis and times out every 5 minutes and can only be used once every hour unless I purchased the app for £2.99 off the App Store but would ideally like to use the Microsoft Remote Desktop app though.
    Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message "There is a problem with this Web page. Please contact the person who manages the server" I can connect with other devices using Remote Web Access. Also how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless being onsite and offsite and on my iPhone, the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
    VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
    Many thanks,
    RocknRollTim

    Any help would be much appreciated.
    Kind regards,
    RocknRollTim

  • Do I need to use open directory on Yosemite Server, I'm only looking to use file sharing and VPN

    I'm setting up a new mac mini server with Yosemite and I was wondering if there are any advantages or disadvantages to not using the open directory service? The only services I'm planning on using are File Sharing and VPN.

    You don't need Open Directory unless you want to manage user accounts centrally on the server.

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1)      How is ASA CX different from other UTM solutions?
    2)      How is dynamic application inspection of CX better than other inspection engines?
    3)      What features or functionalities on the CX are available by default?
    4)      What are the different ways we can run or install CX on the ASA platform?
    5)      What VPN features are supported with multi context ASA in the 9.x release?
    6)      What are the IPv6 Enhancements in the ASA version 9.x?
    Request you to please provide your responses to them individually.
    Thanks.

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540 for internet traffic inside to outside,
    outside to inside (web, smtp) but also VPN load balancing for client to site, site to site and webvpn.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For VPN: I can use VPN load balancing.
    But there is no information if I want to use active/passive and VPN load balancing together.
    Any thoughts on which way to go? What is the best thing to do?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps

  • Using 802.1x and vpn on t-mobile hotspot

    Hi all,
    How do I configure 802.1x and VPN to enhance security on a T-Mobile hotspot?
    Thanks for your help.

    Multi-Host is not the right option for you. In Multi-Host, only one device has to successfully authenticate to authenticate all devices on that port.
    You need to set host-mode to "multi-auth"

  • MP-BGP and MPLS

    Hello all,
    I've been experimenting recently with MP-BGP and MPLS. I have no issues with how it works and how to implement it, and I have a fully working lab. However, I am wondering whether a solution exists to create a full mesh without having to specify, on every PE router, the IP address of every other PE router in the VPNv4 configuration. So the ideal scenario would be that I could add another site to my MPLS which will receive all routes from every other site without updating any configuration at any other site.
    Thanks

    Hi Mathew,
    You can choose P1 or P2 as RR and configure a single MP-BGP session from PE devices to RR. Any new PE that you want to include will need configuration changes on RR and the new PE alone. You don't need to add configuration on other existing PEs.
    You can also play around with bgp dynamic neighbor to further reduce the configuration. But I haven't used it myself and am not sure if VPNv4 is supported.
    -Nagendra

  • Kindly Is the Linksys E4200 Dual Band Router compatible with DHCP and VPN ?

    Kindly 
    Is the Linksys E4200 Dual Band Router compatible with DHCP and VPN?
    Thanks,

    Linksys/Cisco E4200 are compatible with DHCP. Second, these Wireless-N routers are only capable of enabling the VPN traffic to pass through the device.  You will need a VPN router and software to create the actual network to connect with your VPN client.

  • Cisco IOS supporting both voice and vpn

    Hi Friends
    I have one 2821 router. Can anyone suggest which IOS will support both voice and VPN?

    Questions like this are better/faster answered by checking feature navigator.
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
    My suggestion is to run an MD release.
    Also a bit dated document:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_tech_note09186a00800fb9d9.shtml
    For old software and hardware you can also check out Figure 1 here:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_bulletin_c25_506007.html
    M.

  • BGP and ASA NAT

    Hello Everyone,
    I have a need to multihome out two MAN links to the same ISP. The two links will connect via an ISR and will participate in an eBGP adjacency. On the internal side, iBGP will be used to create the alternate default route to the ISP. Each of the ISR’s downstream ports participates on the same Ethernet subnet. On the same subnet/broadcast domain, there are two ASA5510 appliances that will use HSRP to advertise the public IPv4 addresses and will NAT them into the private network.
    My question is, since the ASAs do not participate in BGP, and since we are going to NAT the traffic eliminating the need to use a route map to inject the default route into the downstream EIGRP network, would I simply build a static default route in the ASAs out the upstream interfaces? My initial thought is to not worry about recursive lookups because they are connected via Ethernet.
    ip route 0.0.0.0 0.0.0.0 fa0/0; and so on.
    I’ve attached a simple topology for reference.
    Thanks…Matt

    Yes Jcarvaja, HSRP is not a feature on the ASAs, and yes HSRP is difficult to setup natively to support active/active load balancing on any device. That's not really the point though is it. FHRP's are typically used for distribution switches and finely tuned to access layer 2 and layer 3 convergence, unless using GLBP (and even then should be considered). My mistake for using the term HSRP and thank you for pointing it out.
    As for the iBGP links, they represent the same subnet as I mentioned. The cat switches are there to facilitate physical restraints as each pair of ISRs and ASAs are two miles apart. Since the ASA's are performing NAT, they don't really participate in the BGP network and there is no need or capability to inject the BGP default route into the EIGRP network. They will participate in the downstream EIGRP network. If the MAN connection on one ISR goes down, then the iBGP route to the Internet will be graduated. I guess I could have indicated on the drawing that these were all a part of the same subnet. 
    How do I configure the ASA's static default route? Wouldn't I be able to inject  a static default route in each ASA using the ASA's outside interface when using active/active? If I have to, I could see if we can use EIGRP on the network upstream of the ASAs if there is no other way of doing this, but this is not preferred.
    Any help you can provide is greatly appreciated. 
    Thank you...Matt

  • Secured server with SSH and VPN?

    Hi,
    I have an Archbox at home, and when I'm traveling I would like to connect to my Archlinux box at home to grab files and such things.
    Using ADSL with a static IP and a D-Link router.
    If I create a port forwarding rule of port 443 to my Archlinux box and use it to connect with SSH and VPN, is that secure enough?
    I have family photos and stuff on the server that I don't want to be hacked or spread. Not a high target for hackers but for scriptkiddies!
    So, will a port forwarding rule and use of an SSH daemon and VPN server software make me secure all the way? The VPN and SSH are encrypted, right?
    Any suggestions of a good VPN application?
    Server daemon for the "archserver" and clients for my laptop with dualboot, Vista and Archlinux.

    Yeah, SSH or OpenVPN should be perfectly fine.
    However, why port 443? If someone is scanning a large range of IP-addresses for commonly open ports to find active servers, they will most likely scan port 21, 22, 25, 80, 110, 443, etc. as these ports usually run the most interesting services.
    Since it has no impact on the usability, choose a high port, between 10000-65000, which is not commonly used. That way your system will not be identified as active by a simple portscan searching for active servers.
    You don't have to be worried about attacks targeted directly against you. If you don't have anything interesting on your system, a cracker wouldn't spend time on manually breaking into your system. Just mask yourself from worms etc. by using uncommon ports. Using SSH or OpenVPN will handle encryption, which ensures data integrity, even when you're connected to an unencrypted hotspot somewhere in the world on your vacation.
    If you set up OpenVPN, you'll also have the possibility of routing all your Internet traffic through your home system, which can be very handy in terms of surfing and checking mail from unencrypted hotspots around the world.

  • I need to know how to configure wi-fi and VPN on m...

    I need to know how to configure wi-fi and VPN on my E61i.
    Every time I search for any available WLAN, I find one (in my company), and when I start browsing, it gives me (WLAN not found).
    What should I do?

    iOS: Connecting to the Internet

  • Design Help with MPLS/BGP and Point to Point VPNs using OSPF as backup

    I need some advice on the configuration I want to implement. Basically we have a MPLS cloud using BGP. We are using OSPF for internal routing. Everything is working fine. Now we want to add a Point to Point VPN using new Cisco ASA's for a backup path at all of our remote locations. We want it to be on standby. I want to use OSPF for this. Miami and LA are datacenters. I want the VPN's to go into both datacenters if possible running OSPF for backups. I have a feeling this will be very tricky. I also wanted to use floating routes. Now I know I get the VPN's up and running using OSPF with no problem. Here are my questions:
    But being that I am using different areas, will OSPF through the VPN work correctly? I have the Cisco PDF on setting this up but it looks like they are using the same, AREA0, in the example.
    Can I get both VPN's to work with no problems? Or will it be too much of a pain?
    What would you guys suggest?
    Thanks.

    We are implementing the same solution, and was only able to make this work using HSRP one router for the MPLS connection and one for the VPN tunnel. I opened a TAC case and the tech couldn't get it to work either. I was able to establish the Lan-2-lan tunnel but triggering the route update was the problem. We ended up pulling our ASA5505's out and putting in 1841 routers.

  • Cisco 1700 with MP-BGP and VRF support

    I have a Cisco 1721 with MP-BGP Support, you can create VRFs with it and every other MPLSVPN feature, but the commands for MPLS switching are not supported like Router(config-if)mpls ip , I read in some forums that you can create MPLS VPN without enabling MPLS at all, just with MPBGP, but I couldn't do it myself, Can someone tell me how to make it work or what can I do with a Cisco 1721 that supports MP-BGP?
    thanks in advance

    Here is an example. Take care about overhead for packets like VoIP. The overhead is 88 bytes.
    The packet seems something like that.
    IpHeader-pub@ - NAT-Tudp4500 - ESP - IpHeader-priv@(vrf discriminator) - GRE - Original IP Header - Data - Esp Trailer.
    In this case you need tunnel-mode because you use
    private @ in order to determine vrf (vrf discriminator).
    This is a LAB config; all other security parameters you need on a router are not configured. If you add an access-list on the external interface of REMOTE you have to understand every encapsulation step in order to tune it well.
    Good reading.
    The PPT drawing shows the physical and logical views.
    PS, take care about fragmentation issues; the problem is still not well managed by the routers, and I could not make Tunnel-path-mtu discovery work with VRFs. The workaround is to fragment packets. It's not good for performance but currently there is no other solution concerning that.
    Kind Regards
    Miguel
